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CONTINUOUS SECURITY SYSTEM BASED ON MOTION CODE 

The present invention relates to secure comput- 
er systems in general. 

There exists a significant amount of activity 
in the field of on-line handwriting analysis. The prior 
art current to 1990 is reviewed in "The State of the Art 
in On-Line Handwriting Recognition" by Charles C. Tappert 
et al t IEEE Transactions on Pattern Analysis and Machine 
Intelligence, Vol. 12, No. 8, August, 1990. 

Currently existing and proposed systems provid- 
ing handwriting analysis for alphanumeric input to a 
computer are generally geared towards recognition of how 
the generated trace looks. Accordingly, such systems 
employ digitizers or graphic tablets. The underlying 
assumption of such systems is that the variability of the 
trace is much lower than the variability of the hand 
movement which generated the trace. 

Signature verification systems, on the other 
hand, attempt to identify biometric characteristics of 
the writer and employ indications such as pressure and 
acceleration during writing. The assumption is that the 
signature is a ballistic movement, that is, a movement 
without closed loop feedback, and therefore that there is 
little variance in the hand movement. 

U.S. Patent 4,345,239 employs pen acceleration 
for use in a signature verification system. U.S. Patent 
5,054,088 employs both acceleration and pressure data 
characteristics of signature verification. As indicated 
by the above patents, pen acceleration is employed for 
signature verification because it is a personal feature, 
characteristic of each individual. 

U.S. Patent 4,817,034 describes a computerized 
handwriting duplication system employing a digitizer pad. 
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U.S. Patent 4,6*41,35*1 describes apparatus for recognizing 
and displaying handwritten characters and figures in 
which unrecognized stroke information remains on the 
display screen. U.S. Patent 4,715*102 describes a process 
and apparatus involving pattern recognition. U.S. Patent 
4,727.588 describes a system for automatic adjustment and 
editing of a handwritten text image, which preserves 
format information in a handwritten text. U.S. Patent 
4,703*511 describes a writing input and dynamics regener- 
ation device wherein a time dependent code is embedded in 
a writing path. 

U.S. Patent 4,513,437 describes a wri ting 
implement for use in a signature verification system. 

U.S. Patent 5.054,088 describes a method of 
segmenting and compressing dynamic signature data for 
storage on a limited capacity device. 

U.S. Patent 4,856,077 describes a method and 
device for signature verification using a pen having at 
its nib a light-emitting member and a light-sensitive 
member . 

U.S. Patent 4,495,644 describes a method for 
real-time signature verification using a transducer pad 
and a stylus. 

U.S. Patent 4,345,239 describes apparatus for 
determining pen acceleration for use in a signature 
verification system. 

U.S. Patent 4,263,592 describes an input pen 
usable with either a CRT display or a tablet input de- 
vice . 

U.S. Patent 4,122,435 describes a method for 
producing an electrical signal responsive to identifying 
characteristics of handwriting. The electrical signal is 
produced responsive to variations in writing pressure 
between a writing instrument and a ridged writing sur- 
f ace . 

U.S. Patent 4,751,741 describes pen-type char- 
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acter recognition apparatus, using data representing a 
change in pressure applied to a tip element of a pen. 

U.S. Patent 5,022,086 describes apparatus for 
collecting information on handwriting using a stylus with 
means for sensing force at a point on the surface, to- 
gether with a position sensing pad. 

U.S. Patent 5,247.137 discloses a pen input 
device suitable for signature verification. 

A piezoelectric sensor pen for obtaining pen 
point dynamics during writing is described in EerNisse et 
al . , "Piezoelectric Sensor Pen for Dynamic Signature 
Verification", Conference of the 1977 International 
Electron Devices Meeting, Washington, DC, December 1977. 
pp. 473-476. 

A related apparatus for reading handwriting is 
described in published PCT application PCT/US92/O8703 • 
Related apparatus and methods are also described in the 
following pending applications assigned to the applicant 
of the present application: Israel 104575; Israel 
108566; United States 08/227.275; and United States 
08/380,068. 

The disclosures of the above publications and 
of the publications cited therein are hereby incorporated 
by reference. The disclosures of all publications men- 
tioned in this specification and of the publications 
cited therein are hereby incorporated by reference. 

The present invention seeks to provide an 
improved secure computer system. 

The secure computer systems known in the art 
rely on identifying the user once or at specific times, 
and not continuously. Furthermore, existing secure 
systems need to take some action in order to achieve the 
identification of the user, for example, verifying a 
password, a fingerprint, etc. It is a particular object 
of the present invention to provide continuous security 
via continuous handwriting recognition without taking any 
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specific action for identification. 

Continuous security is believed to be important 
because of the increasingly widespread use of communica- 
tions networks, such as the Internet, in which secure 
communications are believed to be of great importance in 
preventing misuse. Continuous security has the particu- 
lar advantage of protecting a communications session at 
all times, thus preventing unauthorized use of an al- 
ready-authorized session. 

Furthermore, the present invention includes 
continuous security by means of input from a pen, the 
input including characteristics of handwriting of the 
user of the pen. The continuous security of the present 
invention is thus based on a biometric characteristic 
and, unlike a PIN or password, is not based on something 
known by a user, but rather on characteristics of the 
user himself. The prior art, as discussed above, does 
describe security based on identity verification by means 
of verifying the signature but does not describe continu- 
ous security based on handwriting recognition in general. 
The present invention, by contrast, includes continuous 
security based on general handwriting recognition. 

There is thus provided in accordance with a 
preferred embodiment of the present invention a secure 
computer system including at least one node connected to 
a communications network, and a pen input device provid- 
ing an output to the at least one node, the node includ- 
ing handwriting recognition apparatus operative to re- 
ceive the output of the pen and during substantially the 
entire duration of the data input from the pen to convert 
the output of the pen into writing characters, by recog- 
nizing the characteristics of the handwriting of a user 
of the pen and comparing the characteristics with refer- 
ence characteristics, whereby successful communication is 
conditional on successful conversion of the output of the 
pen into writing characters. 
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There is also provided in accordance with 
another preferred embodiment of the present invention a 
secure computer communications system including a commu- 
nications network, at least one terminal coupled to the 
communications network, at least one server coupled to 
the communications network, and a pen input device commu- 
nicating via the at least one terminal with the server, 
and wherein the server includes handwriting recognition 
apparatus operative to receive the output of the pen and 
during substantially the entire duration of the data 
input from the pen to convert the output of the pen into 
writing characters, by recognizing the characteristics of 
the handwriting of a user of the pen and comparing them 
with reference characteristics, whereby successful commu- 
nication of information via the server is conditional on 
successful conversion of the output of the pen into 
writing characters. 

Further in accordance with a preferred embodi- 
ment of the present invention communication from the pen 
input device to the server is secure by virtue of the 
communication being unintelligible in the absence of the 
availability of the reference characteristics. 

Still further in accordance with a preferred 
embodiment of the present invention the server is located 
in a secure location. 

Additionally in accordance with a preferred 
embodiment of the present invention the pen input device 
includes an accelerome ter and provides accelerome ter 
output signals to the terminal. 

Moreover in accordance with a preferred embodi- 
ment of the present invention the at least one terminal 
includes a display and is operative to provide visible 
indication of recognized symbols in response to an input 
from the server. 

Further in accordance with a preferred embodi- 
ment of the present invention the at least one terminal 
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includes a keyboard for the input of function commands. 

Still further in accordance with a preferred 
embodiment of the present invention information input by 
the pen input device, when and only when successfully 
recognized, is communicated to a utilization device. 

Additionally in accordance with a preferred 
embodiment of the present invention the characteristics 
of the handwriting of the user include a mapping of hand 
movements, and the reference characteristics include a 
reference mapping of hand movements for the user. 

Moreover in accordance with a preferred embodi- 
ment of the present invention the reference mapping 
includes a mapping of hand movements to characters for 
the user. 

Further in accordance with a preferred embodi- 
ment of the present invention the successful communica- 
tion is not conditional on any other user input in order 
to achieve security. 

Still further in accordance with a preferred 
embodiment of the present invention the successful commu- 
nication is not conditional on use of any additional 
system resources in order to achieve security. 

There is also provided in accordance with 
another preferred embodiment of the present invention a 
method for providing a secure computer system, the method 
including providing at least one node connected to a 
communications network, and providing a pen input device 
providing an output to the at least one node, the node 
including handwriting recognition apparatus operative to 
receive the output of the pen and during substantially 
the entire duration of the data input from the pen to 
convert the output of the pen into writing characters, by 
recognizing the characteristics of the handwriting of a 
user of the pen and comparing the characteristics with 
reference characteristics, whereby successful communica- 
tion is conditional on successful conversion of the 
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output of the pen into writing characters. 

There is also provided in accordance with 
another preferred embodiment of the present invention a 
method for providing a secure computer communications 
system, the method including providing a communications 
network, providing at least one terminal coupled to the 
communications network, providing at least one server 
coupled to the communications network, and providing a 
pen input device communicating via the at least one 
terminal with the server, and wherein the server includes 
handwriting recognition apparatus operative to receive 
the output of the pen and during substantially the entire 
duration of the data input from the pen to convert the 
output of the pen into writing characters, by recognizing 
the characteristics of the handwriting of a user of the 
pen and comparing them with reference characteristics, 
whereby successful communication of information via the 
server is conditional on successful conversion of the 
output of the pen into writing characters. 

The present invention will be understood and 
appreciated from the following detailed description, 
taken in conjunction with the drawings in which: 

Fig. 1 is a simplified pictorial illustration 
of a secure computer system constructed and operative in 
accordance with a preferred embodiment of the present 
invention ; 

Fig. 2 is a simplified block diagram illustra- 
tion of a preferred embodiment of a portion of the appa- 
ratus of Fig . 1 ; 

Fig. 3 is a schematic diagram of a preferred 
embodiment of the apparatus of Fig. 2; 

Fig. 4 is a simplified pictorial illustration 
of a preferred embodiment of the pen 25 of Fig. 1; 

Figs. 5A and 5B are a pictorial illustration of 
a preferred implementation of the switch 85 of Fig. 4; 

Fig. 6 is a schematic diagram of a preferred 
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implementation of the printed circuit board 105 of Fig. 

Fig. 7A is a simplified block diagram illustra- 
tion of a preferred implementation of the server 35 of 
Fig. 1; 

Fig. 7B is a simplified flowchart illustration 
of a preferred method of a portion of the operation of 
the control module 2^0 of Fig. 7A; and 

Fig. 8 is a simplified flowchart illustration 
of a preferred method of operation of the handwriting 
recognition module 210 of Fig. 7A . 

Attached to the end of the specification are 
the following appendices which aid in the understanding 
and appreciation of one preferred embodiment of the 
invention shown and described herein: 

Appendix A is a specification listing useful in 
understanding the apparatus of Fig. 4; 

Appendix B is a netlist of the apparatus of 
Fig. 6; and 

Appendix C is a part list of the apparatus of 

Fig. 6. 

Reference is now made to Fig. 1 which is a 
simplified pictorial illustration of a secure computer 
system constructed and operative in accordance with a 
preferred embodiment of the present invention. The 
system of Fig. 1 comprises a terminal 10. The terminal 
10 preferably comprises a display screen 15 and a plural- 
ity of data input keys 20. Preferably, the terminal 10 
is sufficiently small to be portable. 

The terminal 10 is described in more detail 
below with reference to Fig. 2. 

The terminal 10 is operatively attached to a 
movement-sensing pen 25, operative to write on any appro- 
priate surface such as a sheet of paper 27. The pen 25 
is described in more detail below with reference to Fig. 
4 . 
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The pen 25 and the terminal 10 are shown in 
Fig. 1 as being operatively attached via a cable, but it 
is appreciated that any appropriate method of attachment 
as, for example, wireless communication, may be used. 

The terminal 10 comprises data communication 
apparatus (not shown in Fig. 1) which is operative to 
provide a data communication connection 30 to a server 
35. As shown in Fig. 1, the data communication connec- 
tion 30 is a remote data communication connection and may 
be any appropriate remote data connection such as, for 
example, a modem connection over switched telephone line 
or a modem connection over a dedicated telephone line. 
Alternatively, the data communication connection 30 may 
be a local connection and the server 35 may be located 
locally to the terminal 10. 

The server 35 may be any appropriately pro- 
grammed computer. 

The server 35 comprises a handwriting recogni- 
tion database 40. The handwriting recognition database 
40 comprises a per-person, per-symbol database identify- 
ing handwriting characteristics for each of a plurality 
of persons, and, for each person, for each of a plurality 
of symbols. The per-person, per-symbol database is 
described in more detail below with reference to Fig. 8. 

In a preferred embodiment of the present inven- 
tion, the server 35 is located in a secure location 42. 
The secure location 42 restricts access to the server 35 
and thus enhances security with the system of Fig. 1 by 
preventing tampering with the database 40 or with other 
aspects of the server 35- 

The system of Fig. 1 also preferably comprises 
other nodes 44 which, together with the terminal 10 and 
the server 35, comprise nodes of a communications net- 
work. 

The operation of the apparatus of Fig. 1 is now 
briefly described. A user establishes a connection with 
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the server 35 through the terminal 10, using the data 
input keys 20 for data entry. Establishing a connection 
includes providing the identity of the user, typically by 
entering a personal identification number (PIN) using the 
data input keys 20. It is appreciated than any means of 
providing the identity of the user may be employed, such 
as, for example, the following means which are well-known 
in the art: signature recognition; electronic key or 
electronic card based recognition; fingerprint identifi- 
cation; retina identification; or any other means of 
identification . 

The server 35 receives the connection request 
from the terminal 10, verifies the identity of the user, 
and, if the identity is verified successfully, establish- 
es a connection with the terminal 10. Typically, the 
server 35 displays a message on the screen 15 indicating 
that a connection has been established. 

Once a connection has been established, the 
user employs the terminal 10 and the pen 25 for data 
entry, which data is transmitted to the server. Typical- 
ly, a combination of data entry via the data input keys 
20 and via the pen 25 is employed, although it is possi- 
ble to employ the pen 25 alone. 

The user employs the pen 25 to write on a 
surface such as the paper 27. The pen 25 is operative to 
sense movement of the pen 25 and to transmit signals 
representing the movement to the terminal 10, which in 
turn transmits the signals via the data communication 
connection 30 to the server 35. 

The server 35 employs handwriting recognition 
techniques, as described below with reference to Fig. 8. 
The handwriting recognition techniques employ the per- 
person, per-symbol database 40 to identify, for the 
person previously verified as the user, the most likely 
symbol written. 

Preferably, the handwriting recognition tech- 
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niques also use a dictionary of words to provide word- 
level recognition, and linguistic analysis to recognize 
phrases and sentences. As the user employs the pen and 
as symbols are recognized by the server 35, the server 35 
typically transmits the recognized symbols to the termi- 
nal 10 for display on the screen 15, to provide feedback 
to the user. 

As described below with reference to Fig, 8, 
recognition is based on hand movements which are unique 
to a given individual. When the verified user writes 
with the pen 25, the server 35 recognizes the symbols 
written based on the per-person, per-symbol characteris- 
tics stored in the database 40. 

If another person other than the verified user 
begins to write with the pen 25, the server 35 will not 
correctly recognize the symbols since the unauthorized 
other person will employ different hand movements than 
the verified user. The server 35 may make a determina- 
tion that the user is unauthorized, that is, is not the 
verified user, based on any appropriate criteria such as, 
for example: 

inability of the server 35 to recognize more 
than a minimum percentage of symbols input, which minimum 
percentage may vary from individual to individual and 
from application to application according to the security 
level required; 

significant misrecogni tion determined at the 
word level, based on more than a maximum percentage of 
words that are not in the dictionary being recognized; or 

any other appropriate criterion. 

Alternatively, since the server 35 will not 
correctly recognize the symbols written by the unauthor- 
ized person, the system will ipso facto cease to operate 
in response to pen input by the user and thus no determi- 
nation by the server 35 is necessary. 

It is appreciated that the various functions 
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assigned above to the server 35 may alternatively be 
performed within the terminal 10, in which case the 
various elements of the server 35 would be incorporated 
into the terminal 10. Further alternatively, it is 
appreciated that the pen 25 may be located locally to the 
server 35 and may be directly connected thereto without 
use of a terminal 20 or a communication link 30. 

Reference is now made to Fig. 2, which is a 
simplified block diagram illustration of a preferred 
embodiment of a portion of the apparatus of Fig. 1. The 
apparatus of Fig. 2 comprises the terminal 10 of Fig. 1. 

The apparatus of Fig. 2 comprises the display 
15t comprising a display subsystem such as, for example, 
a PC0024-A LCD module, commercially available from Power- 
tip Technology Corporation, N° 18 - 3 Nan 2 nd Rd. 
T.E.P.Z., Tanzu, Taichung, Hsien, Taiwan, R.O.C. It is 
appreciated that another display subsystem, such as a 
subsystem with graphics capability, may also be used. 

The apparatus of Fig. 2 also comprises the data 
input keys 20, comprising a keyboard module such as, for 
example, a 88BB2-072 keyboard x k matrix module, com- 
mercially available from Grayhill, Inc., 561 Hillgrove 
Ave., La Grange IL 60525-0373, USA. 

The apparatus of Fig. 2 also comprises a pen 
interface module 45, which is operative to provide an 
electronic data connection between the terminal 10 and 
the pen 25. The pen interface module 45 may be any 
suitable interface as, for example, a commercially avail- 
able RS-232 interface with associated line driver. 

The apparatus of Fig. 2 further comprises a 
microcontroller 50 which is operative to control opera- 
tions of the terminal 10 and to control two-way communi- 
cations with the server 35. The microcontroller may be 
any suitable microcontroller such as, for example, a 
PIC17C42 high-performance 8 bit EPR0M microcontroller, 
commercially available from Microchip Technology Inc., 
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2311 West Chandler Blvd., Chandler, AZ 85224-6199. USA. 

The apparatus of Fig. 2 further comprises a 
communication module 55, suitable to provide the data 
connection 30 over the medium being used for the data 
connection 30. In the case of a modem connection over a 
telephone line, a suitable communication module 55 com- 
prises the AK14-D007-OO1 t commercially available from 
Rockwell International, Digital Communication Division, 
4311 Jamboree Road, P.O. Box C, Newport Beach, CA , 92658- 
8902, USA. 

The microcontroller 50 is preferably connected 
to the other elements of Fig. 2 as follows: 

to the display 15 via both data and control 
connec tions ; 

to the data input keys 20 via a data connec- 
tion ; 

to the pen interface module 45 via a data 
connection; and 

to the communication module 55 via both data 
and control connections. 

Optionally, the apparatus of Fig. 3 may also 
comprise a memory module (not shown). In this case, the 
terminal 10 may be operative to store signals received 
from the pen 25 and/or commands received from the data 
input keys 20, and transmit the same at a later time. It 
is appreciated that, in this case, the terminal 10 may be 
used for standalone input and may not actually be con- 
nected to the data communication connection 30 at the 
time of input. 

Reference is now made to Fig. 3. which is a 
schematic diagram of a preferred embodiment of the appa- 
ratus of Fig. 2. The diagram of Fig. 3 is self-explana- 
tory . 

Reference is now made to Fig. 4 which is a 
simplified pictorial illustration of a preferred embodi- 
ment of the pen 25 Fig. 1. 
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The apparatus of Fig. 4 comprises a top case 
60, a bottom case 65, and a supporting element 70 all 
preferably formed of plastic. The apparatus of Fig. 4 
also comprises a refill holder 75, preferably formed of 
plastic and shaped to hold a standard pen refill 80. 

The apparatus of Fig. 4 further comprises a 
switch 85. The switch 85 is positioned relative to the 
refill holder 75 such that, when a user of the pen 10 
presses the tip of the refill 80 against a surface. the 
refill holder 75 actuates the switch 85. The switch 85, 
when actuated, sends a signal to a microcontroller 100. 

The switch 85 is preferably formed of silicone 
rubber, with key travel of 0.2 mm, activation force 20 
30 gram, activation time less than 1 millisecond, and 
maximum contact resistance 500 ohm. 

Reference is now additionally made to Figs. 5A 
and 5B, which are pictorial illustrations of a preferred 
implementation of the switch 85 of Fig. 4. The apparatus 
of Figs. 5A and 5B comprises the switch 85, the refill 
holder 75. and the pen refill 80. In Fig. 5A, the switch 
85 is depicted in a state where the pen refill 80 is not 
in contact with a surface. In Fig. 5B f the switch 85 is 
depicted in a state where the pen refill 80 is in contact 
with a surface, such that the refill holder 75 actuates 
the switch 85. 

The apparatus of Fig. 4 also comprises a 3- 
dimensional accelerome ter 90, which is operative to sense 
accelerations in three mutually orthogonal directions and 
to output a signal representing the sensed accelerations. 
Taking into account optimum shaping of the pen 25 to fit 
the hand of a user, the accelerome ter 90 is preferably 
located as close as possible to the tip end of the pen 
25. 

The accelerometer 90 may, for example, be an 
ACH-04-08, commercially available from AMP Sensors, Inc., 
P.O. Box 799, Valley Forge, PA 19482, USA, modified 
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according to the specifications found in Appendix A. 
Such modified accelerome ters are commercially available 
from BarOn Technologies Ltd., Gutwirth Science Park, 
Technion City, Haifa 32000 t Israel. 

Alternatively, a single accelerome ter or three 
accelerome ters mounted mutually orthogonally to each 
other may be used. 

The apparatus of Fig. 4 also includes an opera- 
tional amplifier 95, such as a LMC 6464, commercially 
available from National Semiconductor Corporation, 2900 
Semiconductor Drive, Santa Clara, CA 95052-8090, USA . 

The microcontroller 100 preferably includes an 
analog-to-digital converter. An example of a suitable 
microcontroller is the PIC16C71. commercially available 
from Microchip Technology Inc., referred to above. 

The apparatus of Fig. k also comprises a print- 
ed circuit board (PCB) 105- The switch 85 • the acceler- 
ometer 90, the operational amplifier 95* and the micro- 
controller 100 are all mounted on the printed circuit 
board 105. Reference is now additionally made to Fig. 6, 
which is a schematic diagram of a preferred implementa- 
tion of the printed circuit board 105. Reference is now 
also additionally made to Appendix B, which is a netlist 
of the apparatus of Fig. 6, and to Appendix C, which is a 
part list of the apparatus of Fig. 6. Fig. 6 is self- 
explanatory with regard to Appendices B and C. 

The apparatus of Fig. 4 also comprises a cable 
110, preferably having a strain relief apparatus 115. and 
terminating in a data connector 120. The data connector 
120 may be any appropriate data connector, and is typi- 
cally an RS-232 connector. 

During operation, the accelerome ter 90 measures 
movement of the pen 25 and sends signals representing the 
acceleration to the operational amplifier 95. The opera- 
tional amplifier 95 amplifies the signals and sends them 
to the microcontroller 100. At the same time, the switch 
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85 sends signals indicating whether the refill 80 is in 
contact with a surface to the microcontroller 100. 

The microcontroller 100 digitizes the received 
signals and sends digital signals through the cable 110 
and connector 120. The signals preferably comprise an 
indication of whether the refill 80 is in contact with 
surface, as indicated by the position of the switch 85. 
The signals also comprise movement data based on acceler- 
ations measured by the accelerome ter 90. Preferably, the 
signals sent by the microcontroller 100 comprise approxi- 
mately 100 samples per second. 

Typically, the pen 25 receives electrical power 
through the cable 110 from the data connector 120. 

It is appreciated that a particular advantage 
of the present invention is that continuous security by 
means of continuous handwriting recognition of the indi- 
vidual using the system may occur repeatedly or continu- 
ously during use of the system rather than occurring only 
at the beginning of a session. It is also appreciated 
that a particular advantage of the present invention is 
that the security criterion is based on a biometric 
characteristic and, unlike systems based on a PIN or 
password, is not based on something known by a user, but 
rather on characteristics of the user himself. 

Reference is now made to Fig. 7A, which is a 
simplified block diagram illustration of a preferred 
implementation of the server 35 of Fig. 1. The elements 
of Fig. 7A comprise functional components of the server 
35, and are typically implemented in software, but may be 
implemented in a combination of software and hardware or 
in hardware . 

The apparatus of Fig. 7A comprises a terminal 
communication module 200. which is operative to transmit 
data in both directions between the terminal 10 of Fig. 1 
and the apparatus of Fig. 7A. The data received from the 
terminal 10 may comprise signals representing movement or 
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acceleration of the pen 25; the status of contact between 
the pen 25 and the surface 27; and commands representing 
entries made on the data input keys 20. 

The terminal communication module receives data 
to be sent to the terminal 10 from a control module 240 
described below, and supplies data received from the 
terminal 10 to the control module 240. The terminal 
communication module 200 may utilize conventional methods 
which are well known in the art. 

The apparatus of Fig. 7A also comprises a 
handwriting recognition module 210. The handwriting 
recognition module 210 has a plurality modes of opera- 
tion, comprising training mode and recognition mode. 

In training mode, the operation of the hand- 
writing recognition module 210 is as follows. The user 
writes symbols from a pre-arranged script known to the 
handwriting recognition module 210, and the associated 
symbols appear on the display 15 of Fig. 1 during the 
writing. Preferably, the pre-arranged script contains 
several repetitions of each symbol. Preferably, based on 
the experience of the inventor, the symbols should occur 
in different parts of the word, such as beginning, mid- 
dle, and end, throughout the pre-arranged script. The 
handwriting recognition module 210 is operative to pro- 
duce the database 40 based on the movement data received 
during training mode. 

It is appreciated that the database 40 may be 
produced other than in training mode. For example, the 
database 40 may be externally loaded into the server 35 
based on a similar process of training which occurred 
with other equipment. The other equipment may be similar 
to the system of Fig. 1 or may omit the terminal 10 and 
comprise the pen 25 and the server 35- 

In recognition mode, the operation of the 
handwriting recognition module 210 is as follows. The 
handwriting recognition module 210 receives a message 
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from the control 240 indicating the identity of the 
user. The handwriting recognition module 210 is then 
operative to receive signals representing movement of the 
pen 25 and pen-surface contact of the pen 25 with the 
surface 27 f through the terminal 10, from the control 
240. 

The handwriting recognition module 210 is 
operative to produce text based on the received signals 
and to send the text to the control 2**0. The handwriting 
recognition module 210 is also operative to determine an 
index of likelihood for the produced text, the index of 
likelihood representing the likelihood that the produced 
text is the correct interpretation of the movements of 
the pen 25 which produced the received signals. The 
index of likelihood preferably includes an indication, 
such as a likelihood of 0, that handwriting can not be 
recognized at all, so that no meaningful text is pro- 
duced. The handwriting recognition module is also 
operative to send the index of likelihood to the control 
module 240. The operation of the handwriting recognition 
module 210 is described more fully below with reference 
to Fig. 8. 

As describe above with reference to Fig. 1 and 
below with reference to Fig. 8, it is appreciated that an 
attempt to use the pen 25 by a user other than the iden- 
tified user of the system will lead to a very low recog- 
nition rate. 

The apparatus of Fig. 7A also comprises one or 
more applications 230. Each application 230 may be any 
appropriate computer application, capable of running on 
the server 35, and preferably having network communica- 
tion capabilities. Examples of suitable applications 
include the following: 

electronic mail applications; 

bi-directional paging and messaging applica- 
tions ; 
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network services applications, such as Internet 
applications; and 

other applications . 

Each application 230 is operative to receive 
text input from the control module 240, representing text 
produced by the handwriting recognition module 210. Each 
application 230 is also operative to send output to the 
control module 240, for forwarding through the terminal 
communication module 200 to the terminal 10. 

The apparatus of Fig. 7A also comprises a 
control module 240. The control module 240 is operative 
as described above to send and receive data to and from 
the terminal communication module 200, the handwriting 
recognition module 210, and the applications 230. 

The control module 240 is operative, when 
receiving data, to determine the destination of the data 
and to forward the data to the appropriate destination. 
For example, when receiving data from the terminal commu- 
nication module 200 representing movement of the pen 25* 
the control module 240 is operative to send the data to 
the handwriting recognition module 210. When receiving 
data from the terminal communication module 200 repre- 
senting a press of one or more of the data input keys 20 
indicating a command sequence, the control module 240 is 
operative to carry out the command received. 

Preferably, the control module 240 is operative 
to determine whether data received from the terminal 
communication module 200 represents movement of the pen 
25 or a press of one or more of the data input keys 20 by 
examining the data received. For example, a particular 
binary or hexadecimal sequence, for example hexadecimal 
FF , might be used to indicate a key press in the follow- 
ing one or more bytes of data, while all other values 
ranging from hexadecimal 00 to hexadecimal FE might be 
used to indicate pen movement data. 

The control module 240 is also operative, based 
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on the index of likelihood received from the handwriting 
recognition module 210, to determine whether the present 
user of the pen 25 is not the identified user. 

Typically, the control module 2k0 is operative 
to make the determination that the present user is not 
the identified user based on a comparison of the likeli- 
hood received with a minimum likelihood criterion. 
Typically, the minimum likelihood criterion comprises a 
minimum likelihood level and minimum duration of time 
below said minimum likelihood level, so that a determina- 
tion that the present user is not the identified user 
would typically be based on the likelihood level being 
below the minimum likelihood level for at least the 
minimum duration of time. 

The minimum likelihood criterion may vary with 
respect to requirements of a particular application 230, 
described below, or may vary according to the identified 
user. The variation according to the identified user is 
believed to increase the level of accuracy of security 
achieved because some users write in a more consistent 
way than other users, so that the more consistent users 
can be expected to produce a higher index of likelihood, 
and hence may be assigned a higher minimum likelihood 
criterion, than the less consistent users. 

Upon making a determination that the present 
user is not the identified user, the control module 240 
is preferably operative to take some action to secure 
communications, typically to command the terminal commu- 
nication module 200 to end the communication session with 
the terminal 10. 

Reference is now made to Fig. 7B, which is a 
simplified flowchart illustration of a preferred method 
of a portion of the operation of the control module 2*10 
of Fig. 7A. The method of Fig. 7B is a preferred method 
for determining whether the present user of the pen 25 
is not the identified user. The method of Fig. 7B is 
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self-explanatory with respect to the above discussion of 
Fig- 7A. 

Alternatively to the method described above 
wherein the control module 240 takes some action to 
secure communication, it is appreciated that, since the 
handwriting recognition module 210 will not correctly 
recognize the symbols written by the unauthorized person, 
the system will ipso facto cease to operate in response 
to pen input by the user, and no determination by the 
control module 240 is necessary. 

Reference is now made to Fig. 8, which is a 
simplified flowchart illustration of a preferred method 
of operation of the handwriting recognition module 210 of 
Fig. 7A. The method of Fig. 8 preferably includes the 
following steps: 

STEP 310: Receive accelerome ter data. Accel- 
erometer data is received from the control module 240. 
The accelerome ter data comprises data points representing 
sampling of the acceleration measured by the pen 25- 
Preferably, the sampling rate is approximately 1600 data 
points per second, averaged over 16 points, producing an 
output of approximately 100 data points per second. 

STEP 315: Identify individual symbols and 
words. The data from the previous step is divided into 
data representing individual symbols. The status which 
comprises the status of "pen up" is termed herein "pen 
not down". Preferably, the number of consecutive data 
points with status of "pen not down", which data points 
represent a particular duration of the status "pen not 
down" , is taken to indicate the end of a symbol or of a 
word . 

Typically, the duration of status "pen not 
down" within a range from 200 milliseconds to 400 milli- 
seconds is taken to indicate the end of a symbol. Dura- 
tion of the status "pen not down" in the range from 800 
milliseconds to 1200 milliseconds is typically taken to 
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indicate the end of a word. 

Alternatively, the end of a symbol or of a word 
may be indicated by data points which represent pen 
movements that are not part of a symbol, or by other 
means . 

Further alternatively, it is possible to dis- 
cern the end of a word or symbol via analysis based on a 
dictionary and/or on linguistic rules, similarly to the 
method described below with reference to step 420, 

STEP 330: Filter accelerome ter data. The 
accelerometer data received from the previous step is 
filtered in order to remove noise. The filtering may be 
accomplished by iterative smoothing of adjacent points 
until the total change in the signal due to a smoothing 
operation is less than the desired accuracy of the data, 
or by other suitable means. 

STEP 400: For each prototype in the per-person 
per-symbol acceleration prototype database, build an 
index of comparison between the sample and the prototype. 

STEP 410: Create a list of probable symbols 
sorted by likelihood. Based on the index of comparison 
generated in step 400, a single list of probable symbols 
sorted by likelihood is generated. 

STEP 420: Choose the correct symbols and the 
correct word based on the list, the database of previous 
confusions, a dictionary, and linguistic rules. The 
symbols with greatest likelihood are the candidates from 
which the correct symbol is chosen. 

The database of previous confusions provides 
information that allows the correction of the choice of 
the correct symbol based on previous incorrect identifi- 
cations . 

An indication of the end of each word has been 
passed as output since step 315, described above. Based 
on the indication, the most likely word, comprising the 
most likely identifications for each symbol in the list, 
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is identified. 

Alternatively, an attempt may be made to find 
likely words, based on use of the dictionary and on 
applying linguistic rules as described below, without 
regard to data indicating the end of each word. It such 
a case, letters are accumulated and the accumulated 
letters are checked continuously in order to find the 
best option for a likely word. For example, if the word 
"slow" has already been identified in the accumulated 
letters, and the letters "ly" are next identified, an 
additional possibility is now noted that the identifica- 
tion of "slow" may be replaced with an identification of 
"slowly". If the next letter identified does not create 
a possible word beginning with "ly", the identification 
of "slowly" is preferred over the identification of "slow 
ly". In the case of this alternative, step 315 may be 
optional . 

The most likely word is checked against the 
dictionary. Preferably, the dictionary comprises both a 
general dictionary used for all users of the system and a 
personal dictionary for each user of the system. If an 
entry exists in the dictionary for the most likely word, 
the word is chosen as the correct identification. 

If the most likely word is not found in the 
dictionary, all possible word combinations in the list 
are formed and each is checked against the dictionary. 
Among all such words which are found in the dictionary, 
the word with the highest likelihood is then chosen as 
the correct identification. 

If none of the words is found in the diction- 
ary, the most likely word is chosen as the correct iden- 
tification . 

STEP 440: Update database of previous confu- 
sions. Based on a manual correction entered by the user 
or an automatic correction based on the dictionary and/or 
on the application of linguistic rules, the database of 
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previous confusions is updated. Based on a manual cor- 
rection, the personal dictionary is also updated if the 
corrected word is not found in the dictionary. 

STEP 450: Update per-person per-symbol accel- 
eration prototype database. The new prototype from the 
previous step are stored in the per-person per-symbol 
acceleration prototype database. 

Step 460: Output recognition information. The 
sorted list of likely words output by the previous step 
is output to the control module 240. 

It is appreciated that the software components 
of the present invention may, if desired, be implemented 
in ROM (read-only memory) form. The software components 
may, generally, be implemented in hardware, if desired, 
using conventional techniques. 

It is appreciated that the particular embodi- 
ment described in the Appendices is intended only to 
provide an extremely detailed disclosure of the present 
invention and is not intended to be limiting. 

It is appreciated that various features of the 
invention which are, for clarity, described in the con- 
texts of separate embodiments may also be provided in 
combination in a single embodiment. Conversely, various 
features of the invention which are, for brevity, de- 
scribed in the context of a single embodiment may also be 
provided separately or in any suitable subcombination. 

It will be appreciated by persons skilled in 
the art that the present invention is not limited to what 
has been particularly shown and described hereinabove. 
Rather, the scope of the present invention is defined 
only by the claims that follow. 
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APPENDIX A 



3 -Axis (X. Y, i 



Z) Accelerometer with JFET Impedance Buffers 

MiD Tvpc Max SZnita 



SEIiciCi^ • STAxiT^Tolerance 



y-Axis Max Tolerance 
2 -Axis Max Tolerance 
within one Lot 



2.25 3.00 3.75 mV/g 
2.25 3.00 3.75 mV/g 
1.50 2.00 2.30 mV/g 
*15% of Average Lot 
Value and within Max 
Tolerance . 



Frequency Range 

- 3dB 
. 3dB 

Resonant Frequency 
Resonant Q 
Linearity 
Dynamic Range 
Noise 1Hz 

XOHz 

i . OOOHZ 

Transverse Sensicivity 
Temperature Transient Sensitivity 
Base Strain Sensitivity 

fT | F rTRTCAL cpfPTFTPATIONS (T-2SC) 

Gate-Drain Voltage 

Gate -Source Voltage 

Gate Current 

Power Dissipation 

Power Derating 

Gate -Source Cutoff Voltage (V os/0 rr) 
Saturation Drain Current (I 0 .#>** 
CA Forward Transconductance <g r »>*' 
Cutpouc impedance' 



0.5 0.7 



1.5 
6.0 



1.0 



-30 
-30 



-0.5 

10 

SO 



1 . o 
0.1 

4 .2 

0.7 

0 . X 

10 

TBD 

TBD 



1.0 



20 



10 

360 

3.27 --- 

-1.8 

150 

210 

180 



Hz 

kHz 

kHz 

Hz/Hz 

%Reading 

g's 

mg/V^Mx 

mg/VHZ 
rog/Viu 

% 

g/c 
g/M< 



v 
v 
mA 

mW 

mW/C 

V 

MA 

US 



SUBSTITUTE SHEET (RULE 26) 
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APPENDIX A CONTINUED 



FT JVIRONMENTAL SPECIFICATIONS 

Operating Temperature 4 

S t o rage Tempe r a t ur e 

Operating Relative Humidity 

Operating Altitude 

Storage Altitude 

Weight 



95 % Non - Condensing 
-400 to 10,000 feet 
5,000 g's, any axis 
0.3 5 Grams Typical 



0C to +75C 



-40C to +110C 



NOTES : 

1: Reference frequency is 335Hz unless otherwise noted, 
2: Assumes constant current bias, guarded Drawn 6 Source. 
3: Output impedance is user selected. Type values: 180kC? for 
aplit & 20 kO for single supply. 

4 : Nominal sensitivity will typically change ±5% over this 
range . 
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MET 'NOOOOl' U5-3 C250-2 R157-1 
MET 'MOO002' R15-2 U3-4 
MET 'MO0003' R12-1 D 1 —CATHODE 
MET 'NO0004' R12-2 Jl-3 

MET 'M00005' US-1 R159-2 C253-2 C256-1 

MET 'N00006' C256-2 R22-1 TF_ICT1-1 U2-3 

MET 'N00007' R155-2 Q 3 -BASE Q2-BASE Ql-BASE Q4-BASE 

MET 'MO 0007' Q4 -COLLECTOR 

MET 'N00008' U5-2 R158-2 R159-1 C253-1 

MET 'N00009' U2-1 R19-2 C22-2 R17-1 

MET 'M00010' R17-2 TP_ICT4-1 U3-1 

MET 'N00011' Ul-2 Q 3 - COLLECTOR C250-1 

MET 'N00012' U2-2 R20-2 R19-1 C22-1 

NET 'N00013' R150-2 Ul-4 Ul-7 Ul-10 Ul-14 

MET 'N00013' R1S1-1 

MET 'N00014' Dl— ANODE Jl-2 Q7-COLLECTOR 
NET 'N00015' U3-18 TP_ICT6-1 R18-2 
NET 'NOO016' Q 3— EMITTER R152-1 

NET 'N00017' Rl-2 R22-2 R20-1 R160-2 R157-2 

NET 'N00017' R158-1 R161-1 R7-1 U2-14 U2-13 

NET 'N00017' R163-2 R164-1 R25-2 R23-1 

MET 'N00018' U3-17 TP_ICT5-1 R8-2 

NET 'N00019' U3-9 R13-1 

NET 'N00020' R13-2 Q7-BASE 

NET 'N00021' Q7— EMITTER Rll-1 

NET 'NOO022' Jl-4 D2 -ANODE 

MET 'N00023' Jl-5 D3 -ANODE 

MET 'N00024' R14-2 U3-6 SW1-NO 

NET 'N00025' Ul-6 Q 2 - COLLECTOR C251-1 

NET 'N00026' U3-16 Yl-1 C20-1 

NET 'N00027' U3-15 Yl-2 C19-1 

NET 'NOO028' C251-2 R160-1 U5-5 

NET 'N00029' U5-7 R162-2 C254-2 C257-1 

MET 'N00030' C257-2 Rl-1 TP_ICT2-1 U2-5 

NET 'N00031' U5-6 R161-2 R162-1 C254-1 

NET 'N00032' U2-7 R6-2 Cll-2 R8-1 

MET 'N00033' Ul-12 Q1-C0LLECTOR C252-1 

MET 'N0O034' U2-6 R7-2 R6-1 Cll-1 

MET 'NOO035' Q2 -EMITTER R153-1 

NET 'NOO036' D 2— CATHODE U4-2 D3 -CATHODE C16-1 

MET 'N00037' C252-2 R163-1 U5-10 

MET 'NOO038' R9-2 C21-1 U2-12 R10-1 

MET 'N0O039' U5-8 R165-2 C255-2 C258-1 

MET 'HOO040' C258-2 R25-1 TP_ICT3~1 U2-10 

MET 'M00041' U5-9 R164-2 R165-1 C255-1 

NET 'N00042' U2-8 R21-2 C23-2 R18-1 

NET 'N0O043' U2-9 R23-2 R21-1 C23-1 

NET 'N00044' Ql— EMITTER R154-1 

NET 'N00045' Q4 —EMITTER R156-1 

NET 'VCC U4-4 CI 7 -PLUS R9-1 R14-1 Rll-2 

NET 'VCC Ul-1 R150-1 Ul-5 Ul-11 R155-1 

NET 'VCC U2-4 U5-4 R15-1 U3-14 C18-1 

NET 'AGND' TP_KEC1-1 TP.MEC2-1 TP_MEC3-1 TP_MEC4-1 R156-2 

MET 'AGND' U5-12 U5-13 CI 7— MINUS R154-2 C21-2 

NET 'AGND' R10-2 C16-2 U4-3 U4-1 SW1-COMMON 

MET 'AGND' R153-2 Ul-3 Ul-8 Ul-9 Ul-13 

NET 'AGND' R151-2 C19-2 C20-2 U3-2 U3-3 

NET 'AGND' Jl-1 Jl-101 Jl-102 R152-2 U2-11 

MET 'AGND ' U5-11 C18-2 U3-5 
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CLAIMS 

1. A secure computer system comprising: 

at least one node connected to a communications 
network; and 

a pen input device providing an output to said 
at least one node, 

said node including handwriting recognition 
apparatus operative to receive the output of said pen and 
during substantially the entire duration of the data 
input from said pen to convert the output of the pen into 
writing characters, by recognizing the characteristics of 
the handwriting of a user of said pen and comparing said 
characteristics with reference characteristics, whereby 
successful communication is conditional on successful 
conversion of the output of the pen into writing charac- 
ters . 

2. A secure computer communications system com- 
prising: 

a communications network; 

at least one terminal coupled to said communi- 
cations network; 

at least one server coupled to said communica- 
tions network; and 

a pen input device communicating via said at 
least one terminal with said server, and wherein 

said server includes handwriting recognition 
apparatus operative to receive the output of said pen and 
during substantially the entire duration of the data 
input from said pen to convert the output of the pen into 
writing characters, by recognizing the characteristics of 
the handwriting of a user of said pen and comparing them 
with reference characteristics, whereby successful commu- 
nication of information via said server is conditional on 
successful conversion of the output of the pen into 
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writing characters. 

3- A secure computer communications system accord- 

ing to claim 2 and wherein communication from said pen 
input device to said server is secure by virtue of said 
communication being unintelligible in the absence of the 
availability of the reference characteristics. 

• A secure computer communications system accord- 

ing to claim 3 and wherein said server is located in a 
secure location. 

5- A secure computer communications system accord- 
ing to claim 2 and wherein said pen input device com- 
prises an accelerometer and provides accelerometer output 
signals to said terminal. 

6- A secure computer communications system accord- 
ing to any of claims 2-5 and wherein said at least one 
terminal includes a display and is operative to provide 
visible indication of recognized symbols in response to 
an input from said server. 

7- A secure computer communications system accord- 
ing to any of claims 2-6 and wherein said at least one 
terminal includes a keyboard for the input of function 
commands . 

8 * A system according to any of the preceding 

claims and wherein information input by the pen input 
device, when and only when successfully recognized, is 
communicated to a utilization device. 

9- A system according to any of the preceding 

claims and wherein said characteristics of the handwrit- 
ing of the user comprise a mapping of hand movements, and 
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wherein said reference characteristics comprise 
a reference mapping of hand movements for said user. 

10. A system according to claim 9 and wherein said 
reference mapping comprises a mapping of hand movements 
to characters for said user. 

11. A system according to any of the preceding 
claims and wherein said successful communication is not 
conditional on any other user input in order to achieve 
security . 

12. A system according to any of the preceding 
claims and wherein said successful communication is not 
conditional on use of any additional system resources in 
order to achieve security. 

13. A method for providing a secure computer sys- 
tem, the method comprising: 

providing at least one node connected to a 
communications network; and 

providing a pen input device providing an 
output to said at least one node, 

said node including handwriting recognition 
apparatus operative to receive the output of said pen and 
during substantially the entire duration of the data 
input from said pen to convert the output of the pen into 
writing characters, by recognizing the characteristics of 
the handwriting of a user of said pen and comparing said 
characteristics with reference characteristics, whereby 
successful communication is conditional on successful 
conversion of the output of the pen into writing charac- 
ters . 

14. A method for providing a secure computer commu- 
nications system, the method comprising: 
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providing a communications network; 

providing at least one terminal coupled to said 
communications network ; 

providing at least one server coupled to said 
communications network; and 

providing a pen input device communicating via 
said at least one terminal with said server, and wherein 

said server includes handwriting recognition 
apparatus operative to receive the output of said pen and 
during substantially the entire duration of the data 
input from said pen to convert the output of the pen into 
writing characters, by recognizing the characteristics of 
the handwriting of a user of said pen and comparing them 
with reference characteristics, whereby successful commu- 
nication of information via said server is conditional on 
successful conversion of the output of the pen into 
wri ting characters . 
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